[chore](tools) Add release helper scripts for cutting a source release candidate#64062
Conversation
…e candidate Add tools/release-tools/, a set of helper scripts for a Release Manager to cut an Apache Doris source release candidate in three steps: - 00-check-env.sh: check/prepare the GPG signing environment and ASF credentials - 10-package-sign-upload.sh: git-archive the tag, GPG-sign, sha512, upload to the dev SVN - 20-vote-mail.sh: generate the [VOTE] email draft - release.env: shared config (version, paths, signing key, SVN URLs, email) - README.md: usage These are standalone RM helper scripts and are not part of the build or product runtime. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Thank you for your contribution to Apache Doris. Please clearly describe your PR:
|
|
run skipall |
|
run skipall |
|
run buildall |
…tleaks tools/release-tools/release.env legitimately carries a public GPG key fingerprint in SIGNING_KEY; gitleaks' generic-api-key rule flagged it as a secret. Add a path+line allowlist scoped to that file, matching the style of the existing test-fixture allowlists under the same rule. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
run buildall |
|
run buildall |
…template Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
run buildall |
|
/review |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary: I found release-tool workflow issues that should be fixed before merging. The main blocker is that the source-release packaging path is documented as source-only/optional for binaries, but the default config makes three binary artifacts mandatory and aborts before upload if they are absent. The vote draft also unconditionally advertises hard-coded binary URLs and hard-codes a signer display name, which can produce an incorrect public VOTE email for any configuration that differs from this one.
Critical checkpoint conclusions:
- Goal/test: The goal is to provide reusable release-manager helper scripts. Basic shell syntax passes with bash -n, but the default source-release flow is not proven and currently fails unless binary artifacts exist.
- Scope/clarity: The change is focused under tools plus config, but the reusable configuration is not consistently used by the email generator.
- Concurrency/lifecycle: No concurrent runtime code or special lifecycle management involved.
- Configuration: New release.env config is central to the feature; several generated outputs ignore or contradict it.
- Compatibility/storage/transactions/FE-BE: Not applicable; no product runtime paths changed.
- Tests/results: No automated functional test is included; for these scripts, at least bash -n was checked locally, but an end-to-end dry run/source-only path would be needed after fixes.
- Observability: Script output is generally adequate for an RM workflow.
- User focus: No additional user-provided review focus was supplied.
| # Step 02 writes a .asc signature and a .sha512 checksum NEXT TO each file below. | ||
| # These are NOT uploaded by the scripts and are NOT part of the source-only vote SVN; | ||
| # you upload the binaries together with their .asc/.sha512 yourself, wherever they go. | ||
| # Set absolute paths to your three prebuilt binary tarballs (adjust the directory): |
There was a problem hiding this comment.
This default makes binary signing mandatory even though the PR/README describe a source-release workflow where BIN_FILES is optional and can be left empty. With this file as committed, 02-package-sign-upload.sh computes bin_count=3 and dies on the first missing ${WORK_DIR}/apache-doris-${VERSION}-bin-*.tar.gz before reaching the dev SVN upload. Please make the default BIN_FILES=() and leave these paths as commented examples, or otherwise gate binary signing so the source-only path works out of the box.
| The artifacts (source, signature and checksum) corresponding to this release | ||
| candidate can be found here: | ||
| ${DEV_SVN_DIR}/ | ||
|
|
There was a problem hiding this comment.
The vote draft always advertises these three hard-coded convenience binary URLs, independent of BIN_FILES and independent of whether the RM actually signed/uploaded binaries. That contradicts the optional binary flow and can produce a public VOTE email with broken or stale links. The email should derive this section from configured/uploaded binary artifacts, or omit/prompt for it when binaries are not part of the RC.
| ${VERIFY_GUIDE_URL} | ||
|
|
||
| The vote will be open for at least 72 hours. | ||
| [ ] +1 Approve the release |
There was a problem hiding this comment.
The scripts make APACHE_ID and APACHE_EMAIL configurable, but the generated mail still hard-codes Mingyu Chen. If another RM edits release.env, the draft signs their vote email with someone else's display name. Please move the display name to release.env or prompt/derive it consistently with the configured Apache identity.
github-actions
Bot
added
the
approved
|
PR approved by at least one committer and no changes requested. |
…email Fixes the three review comments on apache#64062: - release.env: default BIN_FILES=() so the documented source-only flow works out of the box (02 no longer dies on missing binaries); keep the example paths as comments. Add BIN_DOWNLOAD_BASE and SIGNER_NAME config vars. - 03-vote-mail.sh: derive the convenience-binary section from BIN_FILES and omit it when the list is empty, instead of hard-coding URLs; use ${SIGNER_NAME} for the signature instead of a hard-coded name. - README: document SIGNER_NAME / BIN_DOWNLOAD_BASE and the empty-by-default BIN_FILES behavior. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
github-actions
Bot
removed
the
approved
|
run buildall |
|
/review |
2 participants
What problem does this PR solve?
Problem Summary:
Add
tools/release-tools/, a set of helper scripts for a Release Manager (RM) to cut an Apache Doris source release candidate in three steps:01-check-env.sh— check / prepare the GPG signing environment and ASF credentials.02-package-sign-upload.sh—git archivethe tag, GPG-sign, generate sha512, upload to the dev SVN.03-vote-mail.sh— generate the[VOTE]email draft.release.env— shared config (version, paths, signing key, SVN URLs, email); edit per release.README.md— usage.The scripts are reusable across releases (everything version-specific lives in
release.env). Branch prep, issue cleanup, patch merges and tag creation are out of scope.Release note
None
Check List (For Author)
Test
tools/; not part of the build or product runtime.Behavior changed:
Does this need documentation?
README.mdis included in this PR.)